Legal claims defining the scope of protection, as filed with the USPTO.
2. The computer-implemented method of claim 1, wherein identifying the pattern includes identifying, by the I/O proxy device and within the plurality of I/O messages, a repeating set of operations to read a block of the storage volume, modify the block of the storage volume, and write the modified block to the storage volume.
5. The computer-implemented method of claim 4, wherein identifying the pattern includes identifying, by the I/O proxy device and within the plurality of I/O messages, a repeating set of operations to read a block of the storage volume, modify the block of the storage volume, and write the modified block to the storage volume.
7. The computer-implemented method of claim 4, wherein the storage device is part of the computer system, and wherein the plurality of I/O messages indicate operations performed relative to blocks of the storage volume.
8. The computer-implemented method of claim 4, wherein the storage volume is managed by a block-storage service of a cloud provider and is accessed by the computer system over a network.
9. The computer-implemented method of claim 4, wherein the action includes generating an alert notifying a user associated with the computer system that the process is malicious.
10. The computer-implemented method of claim 4, wherein the computer system is coupled to a control plane of a cloud provider, and wherein the method further comprises receiving, by the computer system, a request to enable detection of malicious activity.
11. The computer-implemented method of claim 4, wherein the action performed responsive to identifying the pattern indicating that the process is malicious comprises sending, to a security posture management service of a cloud provider, data indicating that the process is malicious, wherein the data indicating that the process is malicious is sent to the security posture management service while the process is performing a ransomware attack.
12. The computer-implemented method of claim 4, wherein the action performed responsive to identifying the pattern indicating that the process is malicious comprises causing the computer system to throttle or to block I/O operations.
14. The computer-implemented method of claim 4, wherein the action performed responsive to identifying the pattern indicating that the process is malicious comprises generating a snapshot of the storage volume.
16. The system of claim 15, wherein the compute instance is performing a ransomware attack, and wherein the computer system includes instructions that upon execution cause the computer system to identify, by the I/O proxy, the pattern based on identifying, by the I/O proxy device and within the plurality of I/O operations, a repeating set of operations to read a block of the storage volume, modify the block of the storage volume, and write the modified block to the storage volume.
17. The system of claim 15, wherein the storage volume resides on a storage device that is part of the computer system, and wherein the plurality of I/O messages indicate operations performed on blocks of the storage volume.
18. The system of claim 15, wherein the storage volume is managed by a block-storage service of a cloud provider and is accessed by the computer system over a network.
19. The system of claim 15, wherein the action includes generating an alert notifying a user associated with the computer system affected by the malicious process.
20. The system of claim 15, wherein the computer system is coupled to a control plane of a cloud provider, and wherein the instructions upon execution further cause the computer system to receive a request to enable detection of malicious processes.
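The read, modify, write pattern recited in claims 2, 5 and 16 can be sketched as detection logic over a stream of I/O messages. This is an added example, not the patent's implementation: the `IOMessage` shape, the `threshold` and `window` values, and the sample streams are all constructed assumptions.

```python
import hashlib
from collections import namedtuple

# Assumed message shape; the claims do not define a wire format.
IOMessage = namedtuple("IOMessage", "op block data")

class RmwPatternDetector:
    """Counts read -> write-with-changed-content cycles on distinct blocks."""
    def __init__(self, threshold=4, window=64):
        self.threshold = threshold   # distinct rewritten blocks before flagging (assumed)
        self.window = window         # number of recent messages considered (assumed)
        self.pending_reads = {}      # block -> (seq, digest of data the read returned)
        self.rewrites = {}           # block -> seq of the write that closed a cycle
        self.seq = 0

    def observe(self, msg):
        """Feed one I/O message; return True once the repeating pattern is seen."""
        self.seq += 1
        horizon = self.seq - self.window
        # Forget reads and completed cycles that fell out of the window.
        self.pending_reads = {b: v for b, v in self.pending_reads.items() if v[0] > horizon}
        self.rewrites = {b: s for b, s in self.rewrites.items() if s > horizon}
        digest = hashlib.sha256(msg.data).digest()
        if msg.op == "read":
            self.pending_reads[msg.block] = (self.seq, digest)
        elif msg.op == "write":
            prior = self.pending_reads.pop(msg.block, None)
            if prior is not None and prior[1] != digest:   # block was read, then changed
                self.rewrites[msg.block] = self.seq
        return len(self.rewrites) >= self.threshold

def scan(messages, **kw):
    """Return the 1-based index of the message that trips the detector, or None."""
    det = RmwPatternDetector(**kw)
    for i, m in enumerate(messages, 1):
        if det.observe(m):
            return i
    return None

def constructed_streams():
    """Constructed sample input: a benign mix and a block-by-block rewrite run."""
    benign = [IOMessage("read", b, b"A" * 16) for b in range(8)]
    benign += [IOMessage("write", 100 + b, b"log!" * 4) for b in range(8)]  # no prior read
    benign += [IOMessage("read", 3, b"A" * 16), IOMessage("write", 3, b"A" * 16)]  # unchanged
    suspicious = []
    for b in range(8):
        suspicious.append(IOMessage("read", b, bytes([b]) * 16))
        suspicious.append(IOMessage("write", b, bytes([(b + 1) % 256]) * 16))
    return benign, suspicious
```

Legitimate workloads such as databases also rewrite blocks they have just read, so the threshold and window need tuning against a baseline before the result drives an action like the alert, throttle or snapshot in claims 9, 12 and 14.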
September 10, 2024